Modifying a Directory Entry

You can use the LDAP API to add and delete directory entries and to compare and modify values within existing entries. Any of these operations can be performed either synchronously or asynchronously. Effective with LDAP 3, extensions to the add, delete, and modify functions enable you to perform these operations using controls. For more information, see Using Controls.

To make a change to a directory

1. Create an LDAPMod structure, assigning the appropriate values to each member of the structure.

   For multiple changes, or to add an entry, create a separate LDAPMod structure for each attribute or change.

2. Pass these structures as an array when you call the modification function.

Ramifications of User Account Control

The introduction of User Account Control in Windows Server 2008 and Windows Vista has a very important consequence with regard to making modifications or additions in LDAP. When a user is logged on to a DC with a restricted UAC Administrator token and using NULL credentials, any modification or addition to the directory, or any schema change operation, will fail. This includes DirSync searches, retrieving the SACL from an object's ntSecurityDescriptor attribute when using SecurityDescriptorFlags, and many other operations. These will all fail with insufficient access rights. To work around this, either run the command from an elevated-credential command prompt or use explicit credentials.